Date: Wed, 4 Sep 2024 20:54:13 GMT
Message-Id: <202409042054.484KsDFC033732@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 429f200688ca - releng/14.0 - bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.0
X-Git-Reftype: branch
X-Git-Commit: 429f200688ca621250bca2dae3602d8153858f08

The branch releng/14.0 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=429f200688ca621250bca2dae3602d8153858f08

commit 429f200688ca621250bca2dae3602d8153858f08
Author:     Pierre Pronchery
AuthorDate: 2024-09-04 14:38:11 +0000
Commit:     Ed Maste
CommitDate: 2024-09-04 20:53:58 +0000

    bhyve: fix Out-Of-Bounds read/write heap in tpm_ppi_mem_handler

    The function tpm_ppi_mem_handler is vulnerable to buffer over-read and
    over-write; the MMIO handler serves the heap-allocated structure
    tpm_ppi_qemu. The issue is that the structure size is smaller than
    0x1000 and the handler does not validate the offset and size (sizeof
    is 0x15A while the handler allows up to 0x1000 bytes).

    Reported by:    Synacktiv
    Reviewed by:    corvink
    Security:       FreeBSD-SA-24:10.bhyve
    Security:       CVE-2024-41928
    Security:       HYP-01
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D45980

    (cherry picked from commit a06fc21e770a482c8915411ebc98c870e42dd29b)
    (cherry picked from commit 6ce4821f0859eb00e1754917e1471184755b6358)

    Approved by:    so
---
 usr.sbin/bhyve/tpm_ppi_qemu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/bhyve/tpm_ppi_qemu.c b/usr.sbin/bhyve/tpm_ppi_qemu.c
index 8bea45ea3208..11a306077108 100644
--- a/usr.sbin/bhyve/tpm_ppi_qemu.c +++ b/usr.sbin/bhyve/tpm_ppi_qemu.c @@ -26,7 +26,7 @@ #include "tpm_ppi.h" #define TPM_PPI_ADDRESS 0xFED45000 -#define TPM_PPI_SIZE 0x1000 +#define TPM_PPI_SIZE 0x400 #define TPM_PPI_FWCFG_FILE "etc/tpm/config" @@ -101,7 +101,7 @@ tpm_ppi_init(void **sc) struct tpm_ppi_fwcfg *fwcfg = NULL; int error; - ppi = calloc(1, sizeof(*ppi)); + ppi = calloc(1, TPM_PPI_SIZE); if (ppi == NULL) { warnx("%s: failed to allocate acpi region for ppi", __func__); error = ENOMEM;
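Review bot: The new value 0x400 for TPM_PPI_SIZE in the first hunk is a bare magic number with no comment saying where it comes from or why it replaces 0x1000, and on its own it does not close the bug the commit message describes, since 0x400 is still larger than the 0x15A structure; this hunk is only safe together with the allocation change in the second hunk. Suggest a comment on the define recording that the backing allocation is sized from it and that it must be at least sizeof(struct tpm_ppi_qemu), e.g. `#define TPM_PPI_SIZE 0x400 /* backing allocation; must be >= sizeof(struct tpm_ppi_qemu) */`, and confirming that whatever registers the guest-visible MMIO range at TPM_PPI_ADDRESS uses the same macro, so the range the guest can touch and the range the handler accepts cannot drift apart.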
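Review bot: `ppi = calloc(1, TPM_PPI_SIZE);` in the second hunk fixes the overflow by enlarging the allocation to the size the handler is willing to serve rather than by making tpm_ppi_mem_handler reject offsets beyond the structure, so the guest can now read and write the zero-filled bytes between sizeof(*ppi) and TPM_PPI_SIZE; that is in-bounds memory, but it is scratch space the structure definition does not account for, and the handler itself is unchanged by this diff. The invariant sizeof(*ppi) <= TPM_PPI_SIZE is now load-bearing and nothing in the patch enforces it: a `_Static_assert(sizeof(*ppi) <= TPM_PPI_SIZE, "tpm_ppi_qemu must fit in TPM_PPI_SIZE");` next to the allocation (or at least a comment on why the allocation is deliberately larger than the structure) would stop a later change to either side from silently reintroducing the bug, and an offset/size check against the allocation inside the handler would be the defence-in-depth complement.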
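The bug class behind this advisory, as an added C illustration that is not bhyve's code and not part of the commit: an MMIO handler serving a heap structure accepts any offset and size inside the guest-visible window, while the backing allocation is only sizeof(struct). The names ppi_regs, ppi_dev, ppi_mem_handler and the two window constants are hypothetical stand-ins for tpm_ppi_qemu, tpm_ppi_mem_handler and TPM_PPI_SIZE, and the register layout is made up; only its size relative to the window matters. The example separates the range policy from the copy so the unfixed policy can be exercised without actually touching memory out of bounds, and it adds the static assertion that ties the patch's allocation size to the structure size.

```c
/* Added example: a simplified model of a guest-facing MMIO handler backed by
 * a heap allocation. Not bhyve code; names and layout are hypothetical. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the register block (the real tpm_ppi_qemu is 0x15A bytes).
 * The layout is invented; it is only a few hundred bytes so that it is
 * much smaller than either MMIO window below. */
struct ppi_regs {
    uint8_t  func[256];
    uint32_t ppin, ppip, pprp, pprq, pprm, lppr, fret;
    uint8_t  res1[0x40];
    uint8_t  next_step, movv;
};

#define PPI_WINDOW_VULN  0x1000u  /* bytes the unfixed handler accepted */
#define PPI_WINDOW_FIXED 0x400u   /* window after the fix, also the allocation size */

/* Sizing the backing store from the window is only safe if the struct fits;
 * make the compiler enforce the invariant the patch relies on. */
_Static_assert(sizeof(struct ppi_regs) <= PPI_WINDOW_FIXED,
               "PPI register block must fit in its MMIO window");

struct ppi_dev {
    uint8_t *mem;      /* heap backing store the guest reads and writes */
    size_t   mem_len;  /* bytes actually allocated */
    size_t   window;   /* bytes the handler is willing to serve */
};

static struct ppi_dev *ppi_init(size_t alloc_len, size_t window) {
    struct ppi_dev *d = calloc(1, sizeof(*d));
    if (d == NULL)
        return NULL;
    d->mem_len = alloc_len;
    d->window  = window;
    d->mem = calloc(1, alloc_len);
    if (d->mem == NULL) { free(d); return NULL; }
    return d;
}

/* Unfixed shape: allocate sizeof(struct), serve a 0x1000-byte window. */
static struct ppi_dev *ppi_init_vuln(void) {
    return ppi_init(sizeof(struct ppi_regs), PPI_WINDOW_VULN);
}

/* Fixed shape, as in the patch: allocate the whole (smaller) window. */
static struct ppi_dev *ppi_init_fixed(void) {
    return ppi_init(PPI_WINDOW_FIXED, PPI_WINDOW_FIXED);
}

/* The only check the unfixed handler made: offset and size against the window.
 * Written overflow-safe: len <= window - off instead of off + len <= window. */
static bool ppi_in_window(const struct ppi_dev *d, uint64_t off, size_t len) {
    return len != 0 && off < d->window && len <= d->window - off;
}

/* Defence in depth: also check against what was actually allocated, so the
 * handler stays safe even if window and allocation drift apart later. */
static bool ppi_in_alloc(const struct ppi_dev *d, uint64_t off, size_t len) {
    return len != 0 && off < d->mem_len && len <= d->mem_len - off;
}

/* True when the unfixed policy would have allowed an access that lies
 * (partly) outside the heap allocation: a heap over-read or over-write. */
static bool ppi_access_escapes_heap(const struct ppi_dev *d, uint64_t off, size_t len) {
    return ppi_in_window(d, off, len) && !ppi_in_alloc(d, off, len);
}

/* Hardened handler: refuses anything outside both the window and the
 * allocation, then copies. Returns 0 on success, -1 when refused. */
static int ppi_mem_handler(struct ppi_dev *d, uint64_t off, size_t len,
                           bool write, uint8_t *buf) {
    if (!ppi_in_window(d, off, len) || !ppi_in_alloc(d, off, len))
        return -1;
    if (write)
        memcpy(d->mem + off, buf, len);
    else
        memcpy(buf, d->mem + off, len);
    return 0;
}

static void ppi_free(struct ppi_dev *d) {
    if (d != NULL) { free(d->mem); free(d); }
}
```

With the unfixed shape, any offset between sizeof(struct ppi_regs) and 0x1000 passes the window check but lands outside the calloc'd block; with the fixed shape the allocation and the window coincide, so the window check alone is sufficient, and the static assertion keeps it that way if the structure grows.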